Query Details

X 1 Label Downgrade X Cloud App External Upload

Query

// X-1 - Purview label downgrade ⨯ CloudAppEvents external upload (10 min window)
// Run in: security.microsoft.com -> Hunting -> Advanced hunting (UNIFIED PORTAL ONLY)
// Requires: Sentinel onboarded to Defender XDR so MicrosoftPurviewInformationProtection is queryable beside CloudAppEvents
let downgrades =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(7d)
    | where isnotempty(OldSensitivityLabelId) and OldSensitivityLabelId != SensitivityLabelId
    | project DowngradeTime=TimeGenerated, AccountUpn=UserId, ItemName, ObjectId,
              OldLabel=OldSensitivityLabelId, NewLabel=SensitivityLabelId;
let cloudUploads =
    CloudAppEvents
    | where Timestamp > ago(7d)
    | where ActionType in ("FileUploaded","FileSharedExternally","FileDownloaded")
    // Join key fix: AccountId is the account identifier Defender for Cloud Apps records (usually the
    // UPN for Microsoft 365 apps), which is what UserId holds on the Purview side. AccountObjectId is
    // the Entra object GUID and can never equal a UPN, so joining on it returned no rows.
    | project UploadTime=Timestamp, AccountUpn=AccountId, AccountObjectId, AccountUserName=AccountDisplayName,
              ApplicationName=Application, ActionType, ObjectName, IPAddress;
downgrades
| join kind=inner cloudUploads on AccountUpn
| where UploadTime between (DowngradeTime .. (DowngradeTime + 10m))
| project DowngradeTime, UploadTime, AccountUpn, ItemName, ObjectName,
          OldLabel, NewLabel, ApplicationName, ActionType, IPAddress
| order by DowngradeTime desc

Explanation

This query is designed to identify and analyze instances where a sensitivity label downgrade occurs on a file, followed by an external upload action within a 10-minute window. Here's a simplified breakdown of what the query does:

  1. Data Sources: The query uses two data sources:

    • MicrosoftPurviewInformationProtection: This contains information about changes in sensitivity labels on files.
    • CloudAppEvents: This logs events related to file uploads, sharing, and downloads.
  2. Downgrade Detection:

    • It looks for events in the past 7 days where a file's sensitivity label changed (the old label differs from the new label); the query treats every such change as a downgrade.
    • It captures details such as the time of the change, user account, file name, and both old and new label IDs.
  3. Cloud Upload Events:

    • It filters for cloud events in the past 7 days where files were uploaded, shared externally, or downloaded.
    • It records details like the time of upload, user account, application used, action type, file name, and IP address.
  4. Correlation:

    • The query joins the two datasets on the user account to find cases where a user changed a label and then, within 10 minutes, performed an upload, external share, or download. The join is on the user, not on the specific file, so the uploaded object is not necessarily the relabelled one.
    • It selects the relevant details from these correlated events: times of downgrade and upload, user account, file names, labels, application, action type, and IP address.
  5. Output:

    • The results are ordered by the time of the downgrade, showing the most recent events first.

In essence, this query helps security analysts identify potential data exfiltration risks by highlighting cases where files have their sensitivity reduced and are then quickly shared externally.
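The query above fires on any label change and any upload by the same user. The following is an added variant (not part of the original query or its author's work) that ranks labels with a constructed priority table so only true downgrades count, ties the upload to the relabelled file name, and excludes plain downloads. The label GUIDs are placeholders that must be replaced with the tenant's own label IDs; the file-name match assumes ObjectName is a path ending in the Purview ItemName.

```kql
// Added example: strict downgrade + same-file external upload within 10 minutes
// Placeholder label IDs (constructed); higher Rank = more sensitive
let labelRank = datatable(LabelId:string, Rank:int, LabelName:string) [
    "00000000-0000-0000-0000-000000000001", 1, "Public",
    "00000000-0000-0000-0000-000000000002", 2, "General",
    "00000000-0000-0000-0000-000000000003", 3, "Confidential",
    "00000000-0000-0000-0000-000000000004", 4, "Highly Confidential"
];
let downgrades =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(7d)
    | where isnotempty(OldSensitivityLabelId) and OldSensitivityLabelId != SensitivityLabelId
    | lookup kind=leftouter (labelRank
        | project OldSensitivityLabelId=LabelId, OldRank=Rank, OldLabelName=LabelName) on OldSensitivityLabelId
    | lookup kind=leftouter (labelRank
        | project SensitivityLabelId=LabelId, NewRank=Rank, NewLabelName=LabelName) on SensitivityLabelId
    // Keep real downgrades; labels missing from the rank table are kept rather than silently dropped
    | where isnull(OldRank) or isnull(NewRank) or NewRank < OldRank
    | project DowngradeTime=TimeGenerated, AccountUpn=tolower(UserId), ItemName=tolower(ItemName),
              OldLabelName, NewLabelName, OldRank, NewRank;
let cloudUploads =
    CloudAppEvents
    | where Timestamp > ago(7d)
    // Downloads are excluded: they are not an outbound movement of the file
    | where ActionType in ("FileUploaded", "FileSharedExternally")
    // AccountId (not AccountObjectId) holds the UPN-style identifier that matches Purview's UserId
    | project UploadTime=Timestamp, AccountUpn=tolower(AccountId), ObjectName=tolower(ObjectName),
              ApplicationName=Application, ActionType, IPAddress;
downgrades
| join kind=inner cloudUploads on AccountUpn
| where UploadTime between (DowngradeTime .. (DowngradeTime + 10m))
// Same file: assumes the cloud object path ends with the relabelled item's name
| where ObjectName endswith ItemName
| extend MinutesToUpload = datetime_diff("minute", UploadTime, DowngradeTime)
| project DowngradeTime, UploadTime, MinutesToUpload, AccountUpn, ItemName,
          OldLabelName, NewLabelName, ApplicationName, ActionType, IPAddress
| order by DowngradeTime desc
```

Rows with a null OldRank or NewRank indicate a label ID absent from the rank table and should be used to extend it rather than dismissed.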

Details


David Alonso

Released: May 25, 2026

Tables

MicrosoftPurviewInformationProtection, CloudAppEvents

Keywords

MicrosoftPurviewInformationProtection, CloudAppEvents, Security, MicrosoftSentinel, DefenderXDR

Operators

let, |, where, >, ago(), isnotempty(), and, !=, project, in, join, kind=inner, on, between, .., +, order by, desc